Idle thoughts – Unstructured musings from Joel Dunn…

Malware…

For the last week (actually 9 days now), I’ve been working on and off cleaning up the PC of a friend. It’s shocking how much malware is out there right now and how easy it is for folks who think they are doing the right thing to be tricked by these “friendly” popups that offer to clean your PC. My friend’s PC had several rogue spyware cleaners on it, and gosh knows what else. It scares me that he’s been doing his taxes, etc. on this box for years. Anyway, I have put about 15-20 hours into cleaning it, and I think (knock on wood) that it’s clean. Here’s what started it, and what I did:

This is a Win2000 machine, and it’s about 8 years old, but still a usable computer…P4, 256MB RAM, 40GB disk. It does what he and his wife want. However, he called when it started crashing (BSOD). At first, I thought it might be a hardware problem, but determined after I put another NIC in the box that it was software. When I got it, the copy of Norton Anti-virus on it hadn’t updated defs in 4 years, and you can guess what that allowed. So, here’s what I did:

3) Ran “HiJackThis” and deleted any obviously bad items (but there’s a lot I don’t know off the top of my head);

4) Ran current versions of AdAware and SpybotS&D;

5) Loaded a current version of Norton (virus defs were 9/2007, but still cleaned a lot of stuff);

6) Ran Activeports, saw that there was still spurious activity with IE processes getting kicked off going to places like “cookingluck.com” and “network.upl.cz”. Not what you wanted to see.

At this point I had taken a bunch of stuff off the box and it was working better, but was still no way trustworthy. However, it was working well enough to put back online for a short while and update the patterns on AdAware & SpybotS&D and Norton AntiVirus. Downloaded Win2000 SP4. Took it back offline. Installed Win2000 SP4. Ran scans with new definitions on all tools, and cleaned off more. When it was online, Norton was stopping the things the downloaders were trying to drop, so it was getting better.

I then put on ZoneAlarm. This is something I wanted on the box since my friend doesn’t have a router, and consequently is exposed to the cable net. This had a couple of side effects that helped. First, I could now see and log the IE probes. Also, I set it to not allow IE to access the internet.

So, at this time, things are reasonably clean, and the rogue IE processes getting spawned couldn’t get to where they wanted to go, so I could put it on the ‘net and things would not get worse. However, it wasn’t fixed. I spent several hours trying to figure out where IE was getting launched, but couldn’t make any progress.

Then, in reading some entries on bleepingcomputer.com, I saw a reference to “Anti-malware” by Malwarebytes. I started to read up on it a bit, since there’s a lot of disinformation out there, seemingly placed by the rogue spyware authors. I added up the trustworthy and non-trustworthy references, and felt like it was worth a try. I downloaded v1.05 of Anti-malware, and ran it. It picked up 124 objects, including a couple of memory modules, that nothing else had found. I removed the objects it found (some obviously required a reboot), and now, it’s been nearly an hour and the spurious IE activity is nowhere to be found, per the ZoneAlarm logs. I believe it’s fixed!

I’ll check tomorrow, and if it’s still clean, I’ll re-enable IE, and make sure MS updates, etc. are working like they’re supposed to…